COOEY // HUBcompliance · community · intelligence

Exposures › CVE-2026-58123

CVE-2026-58123

Severity
critical
Source
NVD · cve
Published
2026-07-09
CVSS
9.8
Reference
https://nvd.nist.gov/vuln/detail/CVE-2026-58123
⚡ RCE shame 45/100 rceunpatchedexploited-in-wild

Hermes WebUI before 0.51.788 allows unauthenticated remote code execution via terminal API endpoints.

This critical vulnerability enables attackers to execute arbitrary shell commands without authentication by exploiting the embedded terminal API, posing a severe risk to DIB systems relying on Hermes WebUI for remote management. Organizations must immediately patch to version 0.51.788 or later to prevent unauthorized command execution and potential data exfiltration.

Shame score — The vulnerability is unauthenticated and allows full command execution, but it is not zero-day and has been disclosed publicly, making it a high-severity but avoidable failure if patched promptly.

Description

Hermes WebUI before 0.51.788 contains an unauthenticated remote code execution vulnerability that allows remote attackers to execute arbitrary shell commands by accessing the embedded terminal API endpoints without credentials. Attackers can create a session, attach a PTY shell, and write arbitrary commands through the terminal input endpoint to achieve full command execution as the server process user via four sequential unauthenticated HTTP requests.

Affected FedRAMP products 0 in the catalog

No correlated FedRAMP products.